We recently discussed the perfect IT storm that is currently brewing in business. BYOD, Unified Access, Video, the Many Clouds, SDN… all happening at once, on current infrastructure, and yet demanding more.

Some of the comments you made further emphasized the need to have an architectural approach.

In our VDI discussions with customers across EMEAR, two infrastructure topics come up in almost every conversation:

– Security, which I’ll discuss in today’s post.

– Latency and user experience. Two recent posts, here and here, provide great insight on how to tackle this challenge.

I have therefore asked Steinthor Bjarnason (sbjarnas@cisco.com), Senior EMEAR Security Consultant based in Norway, to give his perspective. He has 15 years' experience in the security space, and his views are drawn from numerous customer projects in both the Enterprise and the Service Provider space.

Q. Steinthor, what challenges are you seeing in VDI Deployments?

“The deployment of Virtual Desktop Infrastructure (VDI) solutions has increased dramatically in recent years, primarily due to the increase in remote workers but also due to the increased use of Bring-Your-Own-Device (BYOD). VDI solutions consolidate the user working environment within a virtual environment, creating pools of virtual machines (VMs) which give users access to their workspace from any location using any type of device.

The challenge is that the different user groups (HR, Finance, Development, …) require different types of access to their resources: HR users should only be allowed to access HR services, Finance users should only be allowed to access Finance services, and so on.

Q. How has this challenge traditionally been addressed?
This has traditionally been solved by directing the different user groups to dedicated groups of servers which host the VMs for that specific group. The security privileges are then linked to the physical servers by using VLANs or other separation technologies. User identification is done by the Connection Broker, which maps the user to his server group and connects him to the least loaded server within that group.

This approach is both labour intensive and results in sub-optimal usage of the different server groups. If many HR users connect at the same time, the servers hosting their VMs could be overloaded while, at the same time, the Finance servers could be lightly loaded.

Instead of grouping the servers and the VMs based on the user group, all servers and VMs are deployed in the same manner, creating a single pool of available VMs.

By deploying Cisco AnyConnect (3.0) on the VM images, it is possible to trigger 802.1X user authentication when the user connects to the VM.

The access switch to which the server hosting the VM connects will contact the Identity Services Engine (ISE) for authentication and authorization. ISE returns the appropriate Security Group Tag based on the user identity.

This tag can then be used to tag all the traffic from the VM which the user is using, making it possible to control the flow of data using SGTs instead of relying on which VLAN the user's VM server is connected to.

This solution simplifies VDI deployment as all VMs and servers can now be used for any type of user, removing the need for keeping separate pools of VMs for each user group. Also, the requirement for advanced configuration of the Connection Broker is removed, making the entire VDI deployment a lot more streamlined and optimized.”

Thank you Steinthor.
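To make the flow Steinthor describes concrete, here is an added configuration example for the access switch that the VDI hypervisor host plugs into. It is not part of the original post and is not Cisco reference configuration: the ISE address (10.0.0.10), VLAN 100 for the host port, SGT 10 for HR users, SGT 20 for the HR application subnet 10.1.20.0/24 and the RBACL names are all illustrative assumptions. The mapping of the user's directory group to SGT 10 is done in the ISE authorization policy and is not shown; the switch only consumes the tag ISE returns in the RADIUS authorization.

```ios
! Added example: TrustSec on the access switch facing a VDI hypervisor host.
! All addresses, VLAN numbers, SGT values and ACL names below are assumed, not from the post.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <shared-secret>
dot1x system-auth-control
!
! One physical port carries many VMs, each running the AnyConnect supplicant,
! so every VM gets its own 802.1X session (multi-auth) and its own SGT from ISE.
interface GigabitEthernet1/0/1
 description VDI hypervisor host - several VM supplicants share this port
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
! HR application servers are tagged statically by subnet (assumed SGT 20);
! HR users receive SGT 10 dynamically at login, whatever server pool or VLAN they land on.
cts role-based sgt-map 10.1.20.0/24 sgt 20
!
! SGACL: HR users (10) may reach HR apps (20) on HTTPS and SQL Server only.
ip access-list role-based HR_USERS_TO_HR_APPS
 permit tcp dst eq 443
 permit tcp dst eq 1433
 deny ip
ip access-list role-based DENY_ALL
 deny ip
cts role-based permissions from 10 to 20 HR_USERS_TO_HR_APPS
! Any source/destination tag pair without an explicit cell is dropped.
cts role-based permissions default DENY_ALL
!
! Enforce SGACLs on the VDI VLAN so the policy applies regardless of server placement.
cts role-based enforcement
cts role-based enforcement vlan-list 100
```

Two checks worth doing before relying on this. First, the EAPOL frames from the AnyConnect supplicant inside the VM must actually reach the physical switch through the hypervisor's virtual switch; if the vSwitch does not pass 802.1X frames, the VM never authenticates and simply stays in whatever pre-authentication state the port allows. Second, the Connection Broker and the display protocol have to reach the VM before the user has logged in and triggered 802.1X, so the port's pre-authentication policy (for example a pre-auth ACL) must permit that traffic or no user can ever authenticate. Use `show authentication sessions interface GigabitEthernet1/0/1` to confirm each VM has its own session with the expected SGT, and `show cts role-based permissions` to confirm the cells the switch has installed.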

Megatrends bring their own set of security challenges. In my opinion, solving them architecturally, using technologies that can be deployed pervasively throughout the network rather than per server pool or per VLAN, is the only sustainable and cost-effective way forward.

I hope this has been useful. So now it's your turn: how have you been addressing the VDI security challenges in your networks?

Hello Eric,
Very nice post. TrustSec is a fantastic technology that not only gives value to the network, but also allows a level of security and flexibility never seen before.
I'm very glad we're spreading this message.
See you around.

Thanks Gabriel for your positive comment.
Could not agree more.
Pervasive network security + purpose-built security appliances fulfilling very specific functions in very specific places in the network (and ideally also being TrustSec-aware, like Cisco ASA and vASA) is how we can architecturally and cost effectively address, moving forward, the security challenges the current IT megatrends bring. Eric
